Drivers beware the modern hacker

The only hacker a traditional car owner fears is one with a thin sliver of metal called a “slim jim” used to unlock car doors.

Less tangible hacking tools can be a lot more dangerous for modern cars, which can be tech-heavier than a space shuttle.

Many new cars bristle with computers and connected technology: chips to check maintenance, streaming music, keyless entry, brakes linked to a car’s computer system, hands-free calling, self-parking and other features to assist drivers. Then there’s the ability to communicate with other vehicles to scope out road conditions and all sorts of devices connecting to the dashboard. More gizmos appear every year to make driving safer, faster, more efficient and more entertaining.

Those layers of technology expose vehicles to hackers who can evolve more quickly than carmakers can keep up.

“Obviously the vehicles on the streets today were not prepared for these incredibly fast-moving symptoms of connectivity,” said Thomas Born, chief security officer at Vodafone Automotive.

Hacking researchers Charlie Miller and Chris Valasek last year demonstrated the vulnerabilities of a modern connected car. They remotely accessed the dashboard system of a Jeep Cherokee and shut down its transmission as it drove down the highway. Their stunt, chronicled in Wired magazine, led to a recall of 1.4 million cars.

The pair, now working for Uber’s Advanced Technology Center, showed off a new series of hacks this August at the Black Hat security conference in Las Vegas — a meeting that drew 15,000 computer security experts. They were able to cut power steering, lock the parking brake and force the test Jeep Cherokee to skid.

“There’s no reason to think that this car company, or just American cars, is the only one that could be hacked,” Miller told the conference.

The vulnerability of complexity

A modern car runs about 100 million lines of computer code. The central flight software from retired space shuttles had around 400,000 lines, according to NASA.

Automakers used to bashing steel and molding carbon fiber are less confident in making their computer systems resilient to cyber adversaries.

Carmakers “focus on safety because it makes them feel comfortable. Everything that comes on top of that makes them feel uncomfortable,” said Thorsten Held, managing director at whiteCryption, a company working with carmakers on security issues.

Lawmakers in Brussels and across the EU have started to discuss how to build in better standards for cybersecurity. Car safety checks, brakes and seat belts have been regulated for decades, but cybersecurity on entertainment systems or GPS navigation hasn’t.

EU legislators are working with the industry to solve the issue, but for now they are letting carmakers come up with their own solutions instead of imposing regulatory fixes.

“We believe we’re behind the curve on this,” said Steve Purser, head of core operations at the EU’s cybersecurity agency ENISA.

Regulators playing catch-up

Crafting laws and regulations in an area of rapid technological change and lightning-fast hackers can feel futile.

“The downside with regulations is that they take a long time to enact and hackers are constantly challenging … these systems,” a spokesman for Swedish carmaker Volvo said.

Car manufacturers and their partners set up a sort of self-help group 15 months ago called the Automotive Information Sharing and Analysis Center. But companies are cautious about sharing technology secrets with their rivals because they fear that could undercut their competitive advantage. It took a year for the group to come up with a set of best practices.

That reluctance doesn’t help cyber resilience. “With a laptop all the software is known. It is kind of different for car manufacturers,” said Sergey Lozhkin, senior security researcher at the cybersecurity giant Kaspersky. “Any car manufacturer keeps its code and develops it itself.”

Carmakers must compete for talent with cybersecurity firms, technology firms and almost every industry looking to go digital. Volvo is hiring hundreds of software engineers.

“Finding information security experts is like finding unicorns. Finding one that has the basic skills [for car security] and the right background … is even more rare,” said Lorie Wigle, who leads Intel’s security efforts.

Companies including Tesla and Chrysler have boosted bug bounty programs, inviting hackers to discover vulnerabilities and report them in exchange for a finder’s fee.

Though carmakers are evolving, customers haven’t awoken to the danger posed by hackers. If a buyer is spooked by a car price tag boosted by expensive security measures, carmakers may balk at the cost of tightening up their information systems.

“Each conversation we have with the automakers is still about money, like with other clients … Everybody is trying to get a good deal — especially in the automotive industry,” said Held, adding that this has led to an under-investment in cyber security. “The question is: Will we wait to do something until the big disaster event, or will industry do something before that?”

This article is part of a POLITICO Special Report: The future of driving.